Edit tour

Linux Analysis Report
SecuriteInfo.com.ELF.Mirai-CVD.11330.22523.elf

Overview

General Information

Sample name:	SecuriteInfo.com.ELF.Mirai-CVD.11330.22523.elf
Analysis ID:	1528449
MD5:	e1732cc9438171b1190145dc330bd5e1
SHA1:	251bb280cfc8d2758fe1ac880c4d9daf2d8fb1f4
SHA256:	da61c1e03512402c4eb51b3cab1d04b4b71a4174c04139ef277e86829d42dda3
Tags:	elf
Infos:

Detection

Score:	68
Range:	0 - 100
Whitelisted:	false

Signatures

Multi AV Scanner detection for submitted file

Connects to many ports of the same IP (likely port scanning)

Opens /sys/class/net/* files useful for querying network interface information

Performs DNS TXT record lookups

Sample deletes itself

Sample scans a subnet

Detected TCP or UDP traffic on non-standard ports

Sample has stripped symbol table

Uses the "uname" system call to query kernel version information (possible evasion)

Classification

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1528449
Start date and time:	2024-10-07 22:49:23 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 4m 44s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	defaultlinuxfilecookbook.jbs
Analysis system description:	Ubuntu Linux 20.04 x64 (Kernel 5.4.0-72, Firefox 91.0, Evince Document Viewer 3.36.10, LibreOffice 6.4.7.2, OpenJDK 11.0.11)
Analysis Mode:	default
Sample name:	SecuriteInfo.com.ELF.Mirai-CVD.11330.22523.elf
Detection:	MAL
Classification:	mal68.spre.troj.spyw.evad.linELF@0/0@1/0

Warnings

VT rate limit hit for: SecuriteInfo.com.ELF.Mirai-CVD.11330.22523.elf

Runtime Messages

Command:	/tmp/SecuriteInfo.com.ELF.Mirai-CVD.11330.22523.elf
PID:	5512
Exit Code:	0
Exit Code Info:
Killed:	False
Standard Output:	Firmware update in progress
Standard Error:

Process Tree

system is lnxubuntu20

SecuriteInfo.com.ELF.Mirai-CVD.11330.22523.elf (PID: 5512, Parent: 5438, MD5: 8943e5f8f8c280467b4472c15ae93ba9) Arguments: /tmp/SecuriteInfo.com.ELF.Mirai-CVD.11330.22523.elf

SecuriteInfo.com.ELF.Mirai-CVD.11330.22523.elf New Fork (PID: 5522, Parent: 5512)

SecuriteInfo.com.ELF.Mirai-CVD.11330.22523.elf New Fork (PID: 5525, Parent: 5522)

cleanup

Yara Signatures

⊘No yara matches

Suricata Signatures

⊘No Suricata rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Multi AV Scanner detection for submitted file

Source: SecuriteInfo.com.ELF.Mirai-CVD.11330.22523.elf

ReversingLabs: Detection: 18%

Networking

Connects to many ports of the same IP (likely port scanning)

Source: global traffic	TCP traffic: 5.230.228.47 ports 6036,0,1,2,5,27015,7
Source: global traffic	TCP traffic: 5.230.228.42 ports 19153,0,1,2,5,27015,7,10554
Source: global traffic	TCP traffic: 5.230.228.45 ports 0,2,5,3389,7,27050
Source: global traffic	TCP traffic: 94.131.118.154 ports 19153,1,3,5,27015,9,1935
Source: global traffic	TCP traffic: 5.230.229.83 ports 0,2,5,7,2222,27050
Source: global traffic	TCP traffic: 194.156.98.15 ports 5000,22022,0,5,3478,1935
Source: global traffic	TCP traffic: 5.230.118.247 ports 0,1,443,4,5,3389,10001,10554

Opens /sys/class/net/* files useful for querying network interface information

Source: /tmp/SecuriteInfo.com.ELF.Mirai-CVD.11330.22523.elf (PID: 5522)	Opens: /sys/class/net/	Jump to behavior
Source: /tmp/SecuriteInfo.com.ELF.Mirai-CVD.11330.22523.elf (PID: 5522)	Opens: /sys/class/net/ens160/address	Jump to behavior
Source: /tmp/SecuriteInfo.com.ELF.Mirai-CVD.11330.22523.elf (PID: 5522)	Opens: /sys/class/net/ens160/flags	Jump to behavior
Source: /tmp/SecuriteInfo.com.ELF.Mirai-CVD.11330.22523.elf (PID: 5522)	Opens: /sys/class/net/ens160/carrier	Jump to behavior

Sample scans a subnet

Source: ip traffic

Subnet 5.230.228.0/24: 5.230.228.47, 5.230.228.42, 5.230.228.45, 5.230.228.44, 5.230.228.62

Source: global traffic	TCP traffic: 192.168.2.14:40866 -> 5.230.122.80:10001
Source: global traffic	TCP traffic: 192.168.2.14:39920 -> 5.230.229.84:9001
Source: global traffic	TCP traffic: 192.168.2.14:41704 -> 5.230.228.44:37777
Source: global traffic	TCP traffic: 192.168.2.14:48268 -> 5.230.122.82:3389
Source: global traffic	TCP traffic: 192.168.2.14:43814 -> 5.230.229.83:27050
Source: global traffic	TCP traffic: 192.168.2.14:53122 -> 5.230.171.8:2222
Source: global traffic	TCP traffic: 192.168.2.14:59074 -> 5.230.228.42:27015
Source: global traffic	TCP traffic: 192.168.2.14:45694 -> 194.156.98.15:5000
Source: global traffic	TCP traffic: 192.168.2.14:41372 -> 5.230.228.45:27050
Source: global traffic	TCP traffic: 192.168.2.14:36600 -> 5.230.122.81:37777
Source: global traffic	TCP traffic: 192.168.2.14:43614 -> 5.230.118.247:10554
Source: global traffic	TCP traffic: 192.168.2.14:59764 -> 5.230.228.47:27015
Source: global traffic	TCP traffic: 192.168.2.14:45228 -> 5.230.228.62:10554
Source: global traffic	TCP traffic: 192.168.2.14:59436 -> 94.131.118.154:27015
Source: global traffic	TCP traffic: 192.168.2.14:45060 -> 185.248.144.209:995

Source: unknown	TCP traffic detected without corresponding DNS query: 94.131.118.154
Source: unknown	TCP traffic detected without corresponding DNS query: 94.131.118.154
Source: unknown	TCP traffic detected without corresponding DNS query: 94.131.118.154
Source: unknown	TCP traffic detected without corresponding DNS query: 94.131.118.154
Source: unknown	TCP traffic detected without corresponding DNS query: 5.230.122.80
Source: unknown	TCP traffic detected without corresponding DNS query: 5.230.122.80
Source: unknown	TCP traffic detected without corresponding DNS query: 5.230.122.80
Source: unknown	TCP traffic detected without corresponding DNS query: 5.230.122.80
Source: unknown	TCP traffic detected without corresponding DNS query: 5.230.229.84
Source: unknown	TCP traffic detected without corresponding DNS query: 5.230.229.84
Source: unknown	TCP traffic detected without corresponding DNS query: 5.230.229.84
Source: unknown	TCP traffic detected without corresponding DNS query: 5.230.229.84
Source: unknown	TCP traffic detected without corresponding DNS query: 5.230.228.44
Source: unknown	TCP traffic detected without corresponding DNS query: 5.230.228.44
Source: unknown	TCP traffic detected without corresponding DNS query: 5.230.228.44
Source: unknown	TCP traffic detected without corresponding DNS query: 5.230.228.44
Source: unknown	TCP traffic detected without corresponding DNS query: 5.230.122.82
Source: unknown	TCP traffic detected without corresponding DNS query: 5.230.122.82
Source: unknown	TCP traffic detected without corresponding DNS query: 5.230.122.82
Source: unknown	TCP traffic detected without corresponding DNS query: 5.230.122.82
Source: unknown	TCP traffic detected without corresponding DNS query: 5.230.229.83
Source: unknown	TCP traffic detected without corresponding DNS query: 5.230.229.83
Source: unknown	TCP traffic detected without corresponding DNS query: 5.230.229.83
Source: unknown	TCP traffic detected without corresponding DNS query: 5.230.229.83
Source: unknown	TCP traffic detected without corresponding DNS query: 5.230.171.8
Source: unknown	TCP traffic detected without corresponding DNS query: 5.230.171.8
Source: unknown	TCP traffic detected without corresponding DNS query: 5.230.171.8
Source: unknown	TCP traffic detected without corresponding DNS query: 5.230.171.8
Source: unknown	TCP traffic detected without corresponding DNS query: 5.230.228.42
Source: unknown	TCP traffic detected without corresponding DNS query: 5.230.228.42
Source: unknown	TCP traffic detected without corresponding DNS query: 5.230.228.42
Source: unknown	TCP traffic detected without corresponding DNS query: 5.230.228.42
Source: unknown	TCP traffic detected without corresponding DNS query: 5.230.228.42
Source: unknown	TCP traffic detected without corresponding DNS query: 5.230.228.42
Source: unknown	TCP traffic detected without corresponding DNS query: 5.230.228.42
Source: unknown	TCP traffic detected without corresponding DNS query: 5.230.228.42
Source: unknown	TCP traffic detected without corresponding DNS query: 194.156.98.15
Source: unknown	TCP traffic detected without corresponding DNS query: 194.156.98.15
Source: unknown	TCP traffic detected without corresponding DNS query: 194.156.98.15
Source: unknown	TCP traffic detected without corresponding DNS query: 194.156.98.15
Source: unknown	TCP traffic detected without corresponding DNS query: 5.230.228.45
Source: unknown	TCP traffic detected without corresponding DNS query: 5.230.228.45
Source: unknown	TCP traffic detected without corresponding DNS query: 5.230.228.45
Source: unknown	TCP traffic detected without corresponding DNS query: 5.230.228.45
Source: unknown	TCP traffic detected without corresponding DNS query: 5.230.122.81
Source: unknown	TCP traffic detected without corresponding DNS query: 5.230.122.81
Source: unknown	TCP traffic detected without corresponding DNS query: 5.230.122.81
Source: unknown	TCP traffic detected without corresponding DNS query: 5.230.122.81
Source: unknown	TCP traffic detected without corresponding DNS query: 194.156.98.15
Source: unknown	TCP traffic detected without corresponding DNS query: 194.156.98.15

Source: global traffic

DNS traffic detected: DNS query: iranistrash.libre

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50566
Source: unknown	Network traffic detected: HTTP traffic on port 50566 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 42530 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 42530

Source: ELF static info symbol of initial sample

.symtab present: no

Source: classification engine

Classification label: mal68.spre.troj.spyw.evad.linELF@0/0@1/0

Hooking and other Techniques for Hiding and Protection

Sample deletes itself

Source: /tmp/SecuriteInfo.com.ELF.Mirai-CVD.11330.22523.elf (PID: 5512)

File: /tmp/SecuriteInfo.com.ELF.Mirai-CVD.11330.22523.elf

Jump to behavior

Source: /tmp/SecuriteInfo.com.ELF.Mirai-CVD.11330.22523.elf (PID: 5512)	Queries kernel information via 'uname':			Jump to behavior
Source: /tmp/SecuriteInfo.com.ELF.Mirai-CVD.11330.22523.elf (PID: 5522)	Queries kernel information via 'uname':			Jump to behavior

Source: SecuriteInfo.com.ELF.Mirai-CVD.11330.22523.elf, 5512.1.0000563fc4802000.0000563fc4886000.rw-.sdmp	Binary or memory string: ?V5!/etc/qemu-binfmt/sh4
Source: SecuriteInfo.com.ELF.Mirai-CVD.11330.22523.elf, 5512.1.00007fffa5702000.00007fffa5723000.rw-.sdmp	Binary or memory string: /usr/bin/qemu-sh4
Source: SecuriteInfo.com.ELF.Mirai-CVD.11330.22523.elf, 5512.1.00007fffa5702000.00007fffa5723000.rw-.sdmp	Binary or memory string: x86_64/usr/bin/qemu-sh4/tmp/SecuriteInfo.com.ELF.Mirai-CVD.11330.22523.elfSUDO_USER=saturninoPATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/binDISPLAY=:1.0XAUTHORITY=/run/user/1000/gdm/XauthoritySUDO_UID=1000TERM=xterm-256colorCOLORTERM=truecolorLOGNAME=rootUSER=rootLANG=en_US.UTF-8SUDO_COMMAND=/bin/bashHOME=/rootMAIL=/var/mail/rootSUDO_GID=1000SHELL=/bin/bash/tmp/SecuriteInfo.com.ELF.Mirai-CVD.11330.22523.elf
Source: SecuriteInfo.com.ELF.Mirai-CVD.11330.22523.elf, 5512.1.0000563fc4802000.0000563fc4886000.rw-.sdmp	Binary or memory string: /etc/qemu-binfmt/sh4

HIPS / PFW / Operating System Protection Evasion

Performs DNS TXT record lookups

Source: Traffic

DNS traffic detected: queries for: iranistrash.libre

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	Windows Management Instrumentation	Path Interception	Path Interception	1 File Deletion	OS Credential Dumping	11 Security Software Discovery	Remote Services	Data from Local System	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	Rootkit	LSASS Memory	1 Network Service Discovery	Remote Desktop Protocol	Data from Removable Media	1 Non-Standard Port	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	Obfuscated Files or Information	Security Account Manager	Query Registry	SMB/Windows Admin Shares	Data from Network Shared Drive	1 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	Binary Padding	NTDS	System Network Configuration Discovery	Distributed Component Object Model	Input Capture	2 Application Layer Protocol	Traffic Duplication	Data Destruction

Malware Configuration

⊘No configs have been found

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Number of created Files
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
SecuriteInfo.com.ELF.Mirai-CVD.11330.22523.elf	18%	ReversingLabs	Linux.Backdoor.Gafgyt

Dropped Files

⊘No Antivirus matches

Domains

⊘No Antivirus matches

URLs

⊘No Antivirus matches

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
iranistrash.libre	unknown	unknown	true		unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
5.230.171.9	unknown	Germany	12586	ASGHOSTNETDE	false
5.230.171.8	unknown	Germany	12586	ASGHOSTNETDE	false
5.230.122.81	unknown	Germany	12586	ASGHOSTNETDE	false
5.230.122.82	unknown	Germany	12586	ASGHOSTNETDE	false
5.230.122.80	unknown	Germany	12586	ASGHOSTNETDE	false
5.230.228.47	unknown	Germany	12586	ASGHOSTNETDE	true
172.217.192.127	unknown	United States	15169	GOOGLEUS	false
5.230.228.42	unknown	Germany	12586	ASGHOSTNETDE	true
5.230.228.45	unknown	Germany	12586	ASGHOSTNETDE	true
94.131.118.154	unknown	Ukraine	29632	NASSIST-ASGI	true
5.230.228.44	unknown	Germany	12586	ASGHOSTNETDE	true
185.248.144.209	unknown	France	31531	POINT-ASUA	false
5.230.229.83	unknown	Germany	12586	ASGHOSTNETDE	true
5.230.229.84	unknown	Germany	12586	ASGHOSTNETDE	false
5.230.228.62	unknown	Germany	12586	ASGHOSTNETDE	true
194.156.98.15	unknown	Russian Federation	135330	ADCDATACOM-AS-APADCDATACOMHK	true
5.230.118.247	unknown	Germany	12586	ASGHOSTNETDE	true

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
5.230.228.42	SecuriteInfo.com.ELF.Mirai-CVD.5487.13505.elf	Get hash	malicious	Unknown	Browse
	SecuriteInfo.com.ELF.Mirai-COW.6055.9040.elf	Get hash	malicious	Unknown	Browse
	SecuriteInfo.com.ELF.Mirai-COW.15022.10577.elf	Get hash	malicious	Unknown	Browse
	SecuriteInfo.com.ELF.Mirai-CVD.15130.25224.elf	Get hash	malicious	Unknown	Browse
5.230.171.9	SecuriteInfo.com.ELF.Mirai-CVD.12952.14309.elf	Get hash	malicious	Unknown	Browse
	SecuriteInfo.com.ELF.Mirai-CVD.5487.13505.elf	Get hash	malicious	Unknown	Browse
	SecuriteInfo.com.ELF.Mirai-COW.6055.9040.elf	Get hash	malicious	Unknown	Browse
	SecuriteInfo.com.ELF.Mirai-COW.15022.10577.elf	Get hash	malicious	Unknown	Browse
5.230.171.8	SecuriteInfo.com.ELF.Mirai-CVD.12952.14309.elf	Get hash	malicious	Unknown	Browse
	SecuriteInfo.com.ELF.Mirai-CVD.5487.13505.elf	Get hash	malicious	Unknown	Browse
	SecuriteInfo.com.ELF.Mirai-COW.6055.9040.elf	Get hash	malicious	Unknown	Browse
5.230.122.81	SecuriteInfo.com.ELF.Mirai-CVD.12952.14309.elf	Get hash	malicious	Unknown	Browse
	SecuriteInfo.com.ELF.Mirai-COW.15022.10577.elf	Get hash	malicious	Unknown	Browse
	SecuriteInfo.com.ELF.Mirai-CVD.15130.25224.elf	Get hash	malicious	Unknown	Browse
	dMCIAXJOD1.elf	Get hash	malicious	Unknown	Browse
5.230.122.82	SecuriteInfo.com.ELF.Mirai-CVD.12952.14309.elf	Get hash	malicious	Unknown	Browse
5.230.122.82	SecuriteInfo.com.ELF.Mirai-CVD.5487.13505.elf	Get hash	malicious	Unknown	Browse
5.230.122.80	SecuriteInfo.com.ELF.Mirai-CVD.12952.14309.elf	Get hash	malicious	Unknown	Browse
	SecuriteInfo.com.ELF.Mirai-CVD.5487.13505.elf	Get hash	malicious	Unknown	Browse
	SecuriteInfo.com.ELF.Mirai-COW.6055.9040.elf	Get hash	malicious	Unknown	Browse
	SecuriteInfo.com.ELF.Mirai-COW.15022.10577.elf	Get hash	malicious	Unknown	Browse
	SecuriteInfo.com.ELF.Mirai-CVD.15130.25224.elf	Get hash	malicious	Unknown	Browse
5.230.228.47	SecuriteInfo.com.ELF.Mirai-CVD.5487.13505.elf	Get hash	malicious	Unknown	Browse
	SecuriteInfo.com.ELF.Mirai-COW.15022.10577.elf	Get hash	malicious	Unknown	Browse
	SecuriteInfo.com.ELF.Mirai-CVD.15130.25224.elf	Get hash	malicious	Unknown	Browse

Domains

⊘No context

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
ASGHOSTNETDE	SecuriteInfo.com.ELF.Mirai-CVD.12952.14309.elf	Get hash	malicious	Unknown	Browse	5.230.118.247
	SecuriteInfo.com.ELF.Mirai-CVD.5487.13505.elf	Get hash	malicious	Unknown	Browse	5.230.118.247
	SecuriteInfo.com.ELF.Mirai-COW.6055.9040.elf	Get hash	malicious	Unknown	Browse	5.230.118.247
	SecuriteInfo.com.ELF.Mirai-COW.15022.10577.elf	Get hash	malicious	Unknown	Browse	5.230.118.247
	SecuriteInfo.com.ELF.Mirai-CVD.15130.25224.elf	Get hash	malicious	Unknown	Browse	5.230.118.247
	dMCIAXJOD1.elf	Get hash	malicious	Unknown	Browse	5.230.228.46
	http://offersurl.shop/4xLINj83DARK5qpxdlemiob3VGFNEIWGTNIBSAK19891KTBY295f9	Get hash	malicious	Phisher	Browse	193.24.209.61
	Untitled.bash_rc.elf	Get hash	malicious	Unknown	Browse	91.238.181.239
	sora.m68k.elf	Get hash	malicious	Mirai	Browse	193.187.23.249
ASGHOSTNETDE	SecuriteInfo.com.ELF.Mirai-CVD.12952.14309.elf	Get hash	malicious	Unknown	Browse	5.230.118.247
	SecuriteInfo.com.ELF.Mirai-CVD.5487.13505.elf	Get hash	malicious	Unknown	Browse	5.230.118.247
	SecuriteInfo.com.ELF.Mirai-COW.6055.9040.elf	Get hash	malicious	Unknown	Browse	5.230.118.247
	SecuriteInfo.com.ELF.Mirai-COW.15022.10577.elf	Get hash	malicious	Unknown	Browse	5.230.118.247
	SecuriteInfo.com.ELF.Mirai-CVD.15130.25224.elf	Get hash	malicious	Unknown	Browse	5.230.118.247
	dMCIAXJOD1.elf	Get hash	malicious	Unknown	Browse	5.230.228.46
	http://offersurl.shop/4xLINj83DARK5qpxdlemiob3VGFNEIWGTNIBSAK19891KTBY295f9	Get hash	malicious	Phisher	Browse	193.24.209.61
	Untitled.bash_rc.elf	Get hash	malicious	Unknown	Browse	91.238.181.239
	sora.m68k.elf	Get hash	malicious	Mirai	Browse	193.187.23.249
ASGHOSTNETDE	SecuriteInfo.com.ELF.Mirai-CVD.12952.14309.elf	Get hash	malicious	Unknown	Browse	5.230.118.247
	SecuriteInfo.com.ELF.Mirai-CVD.5487.13505.elf	Get hash	malicious	Unknown	Browse	5.230.118.247
	SecuriteInfo.com.ELF.Mirai-COW.6055.9040.elf	Get hash	malicious	Unknown	Browse	5.230.118.247
	SecuriteInfo.com.ELF.Mirai-COW.15022.10577.elf	Get hash	malicious	Unknown	Browse	5.230.118.247
	SecuriteInfo.com.ELF.Mirai-CVD.15130.25224.elf	Get hash	malicious	Unknown	Browse	5.230.118.247
	dMCIAXJOD1.elf	Get hash	malicious	Unknown	Browse	5.230.228.46
	http://offersurl.shop/4xLINj83DARK5qpxdlemiob3VGFNEIWGTNIBSAK19891KTBY295f9	Get hash	malicious	Phisher	Browse	193.24.209.61
	Untitled.bash_rc.elf	Get hash	malicious	Unknown	Browse	91.238.181.239
	sora.m68k.elf	Get hash	malicious	Mirai	Browse	193.187.23.249
ASGHOSTNETDE	SecuriteInfo.com.ELF.Mirai-CVD.12952.14309.elf	Get hash	malicious	Unknown	Browse	5.230.118.247
	SecuriteInfo.com.ELF.Mirai-CVD.5487.13505.elf	Get hash	malicious	Unknown	Browse	5.230.118.247
	SecuriteInfo.com.ELF.Mirai-COW.6055.9040.elf	Get hash	malicious	Unknown	Browse	5.230.118.247
	SecuriteInfo.com.ELF.Mirai-COW.15022.10577.elf	Get hash	malicious	Unknown	Browse	5.230.118.247
	SecuriteInfo.com.ELF.Mirai-CVD.15130.25224.elf	Get hash	malicious	Unknown	Browse	5.230.118.247
	dMCIAXJOD1.elf	Get hash	malicious	Unknown	Browse	5.230.228.46
	http://offersurl.shop/4xLINj83DARK5qpxdlemiob3VGFNEIWGTNIBSAK19891KTBY295f9	Get hash	malicious	Phisher	Browse	193.24.209.61
	Untitled.bash_rc.elf	Get hash	malicious	Unknown	Browse	91.238.181.239
	sora.m68k.elf	Get hash	malicious	Mirai	Browse	193.187.23.249

JA3 Fingerprints

⊘No context

Dropped Files

⊘No context

Created / dropped Files

⊘No created / dropped files found

Static File Info

General

File type:	ELF 32-bit LSB executable, Renesas SH, version 1 (SYSV), statically linked, stripped
Entropy (8bit):	6.792943206282076
TrID:	ELF Executable and Linkable format (generic) (4004/1) 100.00%
File name:	SecuriteInfo.com.ELF.Mirai-CVD.11330.22523.elf
File size:	64'140 bytes
MD5:	e1732cc9438171b1190145dc330bd5e1
SHA1:	251bb280cfc8d2758fe1ac880c4d9daf2d8fb1f4
SHA256:	da61c1e03512402c4eb51b3cab1d04b4b71a4174c04139ef277e86829d42dda3
SHA512:	446a2472fafe74c88387f0efd818a75bbf1672485e13cabb954755f408d3d364dadf87c43e98122b530d66d3aee9d554a44642a93f9055414daf6a497f2fb6a0
SSDEEP:	1536:HqrlMxpMWKhPIXv6x0UaM5USrXcTDdbLGwFmF4CV:HqrlMxpMWoPYv6BWCMTB+pF4
TLSH:	BE539F73882C7F54D15896B8B4B25F3D6B4BE506D20B3EB6659BC629804BE8CF0453F4
File Content Preview:	.ELF.....................@.4...........4. ...(...............@...@.,...,...............0...0.A.0.A......%..........Q.td............................././"O.n........#.@........#.*@,....o&O.n...l..............................././.../.a"O.!...n...a.b("...q.

Static ELF Info

ELF header
Class:	ELF32
Data:	2's complement, little endian
Version:	1 (current)
Machine:	<unknown>
Version Number:	0x1
Type:	EXEC (Executable file)
OS/ABI:	UNIX - System V
ABI Version:	0
Entry Point Address:	0x4001a0
Flags:	0x9
ELF Header Size:	52
Program Header Offset:	52
Program Header Size:	32
Number of Program Headers:	3
Section Header Offset:	63740
Section Header Size:	40
Number of Section Headers:	10
Header String Table Index:	9

Sections

Name	Type	Address	Offset	Size	EntSize	Flags	Flags Description	Align
	NULL	0x0	0x0	0x0	0x0	0x0		0
.init	PROGBITS	0x400094	0x94	0x30	0x0	0x6	AX	4
.text	PROGBITS	0x4000e0	0xe0	0xef40	0x0	0x6	AX	32
.fini	PROGBITS	0x40f020	0xf020	0x24	0x0	0x6	AX	4
.rodata	PROGBITS	0x40f044	0xf044	0x6e8	0x0	0x2	A	4
.ctors	PROGBITS	0x41f730	0xf730	0x8	0x0	0x3	WA	4
.dtors	PROGBITS	0x41f738	0xf738	0x8	0x0	0x3	WA	4
.data	PROGBITS	0x41f744	0xf744	0x178	0x0	0x3	WA	4
.bss	NOBITS	0x41f8bc	0xf8bc	0x2418	0x0	0x3	WA	4
.shstrtab	STRTAB	0x0	0xf8bc	0x3e	0x0	0x0		1

Program Segments

Type	Offset	Virtual Address	Physical Address	File Size	Memory Size	Entropy	Flags	Flags Description	Align	Section Mappings
LOAD	0x0	0x400000	0x400000	0xf72c	0xf72c	6.8290	0x5	R E	0x10000	.init .text .fini .rodata
LOAD	0xf730	0x41f730	0x41f730	0x18c	0x25a4	1.2800	0x6	RW	0x10000	.ctors .dtors .data .bss
GNU_STACK	0x0	0x0	0x0	0x0	0x0	0.0000	0x7	RWE	0x4

Network Behavior

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 7, 2024 22:50:16.080976009 CEST	40534	1935	192.168.2.14	94.131.118.154
Oct 7, 2024 22:50:16.086407900 CEST	1935	40534	94.131.118.154	192.168.2.14
Oct 7, 2024 22:50:16.086502075 CEST	40534	1935	192.168.2.14	94.131.118.154
Oct 7, 2024 22:50:16.087321997 CEST	40534	1935	192.168.2.14	94.131.118.154
Oct 7, 2024 22:50:16.092334032 CEST	1935	40534	94.131.118.154	192.168.2.14
Oct 7, 2024 22:50:17.711023092 CEST	1935	40534	94.131.118.154	192.168.2.14
Oct 7, 2024 22:50:17.711584091 CEST	40534	1935	192.168.2.14	94.131.118.154
Oct 7, 2024 22:50:17.716572046 CEST	1935	40534	94.131.118.154	192.168.2.14
Oct 7, 2024 22:50:19.713346958 CEST	40866	10001	192.168.2.14	5.230.122.80
Oct 7, 2024 22:50:19.721158028 CEST	10001	40866	5.230.122.80	192.168.2.14
Oct 7, 2024 22:50:19.721254110 CEST	40866	10001	192.168.2.14	5.230.122.80
Oct 7, 2024 22:50:19.721291065 CEST	40866	10001	192.168.2.14	5.230.122.80
Oct 7, 2024 22:50:19.726457119 CEST	10001	40866	5.230.122.80	192.168.2.14
Oct 7, 2024 22:50:21.889484882 CEST	10001	40866	5.230.122.80	192.168.2.14
Oct 7, 2024 22:50:21.890089035 CEST	40866	10001	192.168.2.14	5.230.122.80
Oct 7, 2024 22:50:21.895224094 CEST	10001	40866	5.230.122.80	192.168.2.14
Oct 7, 2024 22:50:24.892796040 CEST	39920	9001	192.168.2.14	5.230.229.84
Oct 7, 2024 22:50:24.898123980 CEST	9001	39920	5.230.229.84	192.168.2.14
Oct 7, 2024 22:50:24.898293972 CEST	39920	9001	192.168.2.14	5.230.229.84
Oct 7, 2024 22:50:24.898355007 CEST	39920	9001	192.168.2.14	5.230.229.84
Oct 7, 2024 22:50:24.903496027 CEST	9001	39920	5.230.229.84	192.168.2.14
Oct 7, 2024 22:50:27.070297956 CEST	9001	39920	5.230.229.84	192.168.2.14
Oct 7, 2024 22:50:27.070791006 CEST	39920	9001	192.168.2.14	5.230.229.84
Oct 7, 2024 22:50:27.076380014 CEST	9001	39920	5.230.229.84	192.168.2.14
Oct 7, 2024 22:50:29.076508999 CEST	41704	37777	192.168.2.14	5.230.228.44
Oct 7, 2024 22:50:29.083302021 CEST	37777	41704	5.230.228.44	192.168.2.14
Oct 7, 2024 22:50:29.083452940 CEST	41704	37777	192.168.2.14	5.230.228.44
Oct 7, 2024 22:50:29.083636045 CEST	41704	37777	192.168.2.14	5.230.228.44
Oct 7, 2024 22:50:29.090801954 CEST	37777	41704	5.230.228.44	192.168.2.14
Oct 7, 2024 22:50:30.741868019 CEST	37777	41704	5.230.228.44	192.168.2.14
Oct 7, 2024 22:50:30.742563963 CEST	41704	37777	192.168.2.14	5.230.228.44
Oct 7, 2024 22:50:30.748020887 CEST	37777	41704	5.230.228.44	192.168.2.14
Oct 7, 2024 22:50:31.746671915 CEST	48268	3389	192.168.2.14	5.230.122.82
Oct 7, 2024 22:50:31.752207041 CEST	3389	48268	5.230.122.82	192.168.2.14
Oct 7, 2024 22:50:31.752317905 CEST	48268	3389	192.168.2.14	5.230.122.82
Oct 7, 2024 22:50:31.752379894 CEST	48268	3389	192.168.2.14	5.230.122.82
Oct 7, 2024 22:50:31.757409096 CEST	3389	48268	5.230.122.82	192.168.2.14
Oct 7, 2024 22:50:33.927895069 CEST	3389	48268	5.230.122.82	192.168.2.14
Oct 7, 2024 22:50:33.928563118 CEST	48268	3389	192.168.2.14	5.230.122.82
Oct 7, 2024 22:50:33.933655024 CEST	3389	48268	5.230.122.82	192.168.2.14
Oct 7, 2024 22:50:36.932246923 CEST	43814	27050	192.168.2.14	5.230.229.83
Oct 7, 2024 22:50:36.938309908 CEST	27050	43814	5.230.229.83	192.168.2.14
Oct 7, 2024 22:50:36.938421965 CEST	43814	27050	192.168.2.14	5.230.229.83
Oct 7, 2024 22:50:36.938499928 CEST	43814	27050	192.168.2.14	5.230.229.83
Oct 7, 2024 22:50:36.944567919 CEST	27050	43814	5.230.229.83	192.168.2.14
Oct 7, 2024 22:50:38.615381002 CEST	27050	43814	5.230.229.83	192.168.2.14
Oct 7, 2024 22:50:38.615998030 CEST	43814	27050	192.168.2.14	5.230.229.83
Oct 7, 2024 22:50:38.621376038 CEST	27050	43814	5.230.229.83	192.168.2.14
Oct 7, 2024 22:50:40.620001078 CEST	53122	2222	192.168.2.14	5.230.171.8
Oct 7, 2024 22:50:40.625303030 CEST	2222	53122	5.230.171.8	192.168.2.14
Oct 7, 2024 22:50:40.625401020 CEST	53122	2222	192.168.2.14	5.230.171.8
Oct 7, 2024 22:50:40.625487089 CEST	53122	2222	192.168.2.14	5.230.171.8
Oct 7, 2024 22:50:40.630567074 CEST	2222	53122	5.230.171.8	192.168.2.14
Oct 7, 2024 22:50:42.488277912 CEST	2222	53122	5.230.171.8	192.168.2.14
Oct 7, 2024 22:50:42.489581108 CEST	53122	2222	192.168.2.14	5.230.171.8
Oct 7, 2024 22:50:42.494837999 CEST	2222	53122	5.230.171.8	192.168.2.14
Oct 7, 2024 22:50:43.495680094 CEST	59074	27015	192.168.2.14	5.230.228.42
Oct 7, 2024 22:50:43.501357079 CEST	27015	59074	5.230.228.42	192.168.2.14
Oct 7, 2024 22:50:43.501584053 CEST	59074	27015	192.168.2.14	5.230.228.42
Oct 7, 2024 22:50:43.501892090 CEST	59074	27015	192.168.2.14	5.230.228.42
Oct 7, 2024 22:50:43.507339954 CEST	27015	59074	5.230.228.42	192.168.2.14
Oct 7, 2024 22:50:45.149007082 CEST	27015	59074	5.230.228.42	192.168.2.14
Oct 7, 2024 22:50:45.150162935 CEST	59074	27015	192.168.2.14	5.230.228.42
Oct 7, 2024 22:50:45.155771971 CEST	27015	59074	5.230.228.42	192.168.2.14
Oct 7, 2024 22:50:46.155755043 CEST	34178	10554	192.168.2.14	5.230.228.42
Oct 7, 2024 22:50:46.161115885 CEST	10554	34178	5.230.228.42	192.168.2.14
Oct 7, 2024 22:50:46.161272049 CEST	34178	10554	192.168.2.14	5.230.228.42
Oct 7, 2024 22:50:46.161539078 CEST	34178	10554	192.168.2.14	5.230.228.42
Oct 7, 2024 22:50:46.166887999 CEST	10554	34178	5.230.228.42	192.168.2.14
Oct 7, 2024 22:50:47.821721077 CEST	10554	34178	5.230.228.42	192.168.2.14
Oct 7, 2024 22:50:47.822432041 CEST	34178	10554	192.168.2.14	5.230.228.42
Oct 7, 2024 22:50:47.827317953 CEST	10554	34178	5.230.228.42	192.168.2.14
Oct 7, 2024 22:50:48.826014996 CEST	45694	5000	192.168.2.14	194.156.98.15
Oct 7, 2024 22:50:48.831263065 CEST	5000	45694	194.156.98.15	192.168.2.14
Oct 7, 2024 22:50:48.831471920 CEST	45694	5000	192.168.2.14	194.156.98.15
Oct 7, 2024 22:50:48.831523895 CEST	45694	5000	192.168.2.14	194.156.98.15
Oct 7, 2024 22:50:48.836406946 CEST	5000	45694	194.156.98.15	192.168.2.14
Oct 7, 2024 22:50:50.842766047 CEST	5000	45694	194.156.98.15	192.168.2.14
Oct 7, 2024 22:50:50.843583107 CEST	45694	5000	192.168.2.14	194.156.98.15
Oct 7, 2024 22:50:50.850877047 CEST	5000	45694	194.156.98.15	192.168.2.14
Oct 7, 2024 22:50:53.847095966 CEST	41372	27050	192.168.2.14	5.230.228.45
Oct 7, 2024 22:50:53.853302956 CEST	27050	41372	5.230.228.45	192.168.2.14
Oct 7, 2024 22:50:53.853436947 CEST	41372	27050	192.168.2.14	5.230.228.45
Oct 7, 2024 22:50:53.853472948 CEST	41372	27050	192.168.2.14	5.230.228.45
Oct 7, 2024 22:50:53.858335972 CEST	27050	41372	5.230.228.45	192.168.2.14
Oct 7, 2024 22:50:55.525659084 CEST	27050	41372	5.230.228.45	192.168.2.14
Oct 7, 2024 22:50:55.526504993 CEST	41372	27050	192.168.2.14	5.230.228.45
Oct 7, 2024 22:50:55.531568050 CEST	27050	41372	5.230.228.45	192.168.2.14
Oct 7, 2024 22:50:57.529510021 CEST	36600	37777	192.168.2.14	5.230.122.81
Oct 7, 2024 22:50:57.534605980 CEST	37777	36600	5.230.122.81	192.168.2.14
Oct 7, 2024 22:50:57.534696102 CEST	36600	37777	192.168.2.14	5.230.122.81
Oct 7, 2024 22:50:57.534784079 CEST	36600	37777	192.168.2.14	5.230.122.81
Oct 7, 2024 22:50:57.540416956 CEST	37777	36600	5.230.122.81	192.168.2.14
Oct 7, 2024 22:50:59.675261021 CEST	37777	36600	5.230.122.81	192.168.2.14
Oct 7, 2024 22:50:59.675757885 CEST	36600	37777	192.168.2.14	5.230.122.81
Oct 7, 2024 22:50:59.681538105 CEST	37777	36600	5.230.122.81	192.168.2.14
Oct 7, 2024 22:51:00.680425882 CEST	36000	1935	192.168.2.14	194.156.98.15
Oct 7, 2024 22:51:00.709481001 CEST	1935	36000	194.156.98.15	192.168.2.14
Oct 7, 2024 22:51:00.709656000 CEST	36000	1935	192.168.2.14	194.156.98.15
Oct 7, 2024 22:51:00.710068941 CEST	36000	1935	192.168.2.14	194.156.98.15
Oct 7, 2024 22:51:00.715297937 CEST	1935	36000	194.156.98.15	192.168.2.14
Oct 7, 2024 22:51:02.718852043 CEST	1935	36000	194.156.98.15	192.168.2.14
Oct 7, 2024 22:51:02.719860077 CEST	36000	1935	192.168.2.14	194.156.98.15
Oct 7, 2024 22:51:02.725032091 CEST	1935	36000	194.156.98.15	192.168.2.14
Oct 7, 2024 22:51:04.724312067 CEST	35594	6036	192.168.2.14	5.230.122.80
Oct 7, 2024 22:51:04.729656935 CEST	6036	35594	5.230.122.80	192.168.2.14
Oct 7, 2024 22:51:04.729758978 CEST	35594	6036	192.168.2.14	5.230.122.80
Oct 7, 2024 22:51:04.729979038 CEST	35594	6036	192.168.2.14	5.230.122.80
Oct 7, 2024 22:51:04.734949112 CEST	6036	35594	5.230.122.80	192.168.2.14
Oct 7, 2024 22:51:06.922683001 CEST	6036	35594	5.230.122.80	192.168.2.14
Oct 7, 2024 22:51:06.923365116 CEST	35594	6036	192.168.2.14	5.230.122.80
Oct 7, 2024 22:51:06.928587914 CEST	6036	35594	5.230.122.80	192.168.2.14
Oct 7, 2024 22:51:09.926659107 CEST	43614	10554	192.168.2.14	5.230.118.247
Oct 7, 2024 22:51:09.932961941 CEST	10554	43614	5.230.118.247	192.168.2.14
Oct 7, 2024 22:51:09.933063984 CEST	43614	10554	192.168.2.14	5.230.118.247
Oct 7, 2024 22:51:09.933128119 CEST	43614	10554	192.168.2.14	5.230.118.247
Oct 7, 2024 22:51:09.938678980 CEST	10554	43614	5.230.118.247	192.168.2.14
Oct 7, 2024 22:51:11.776328087 CEST	10554	43614	5.230.118.247	192.168.2.14
Oct 7, 2024 22:51:11.776985884 CEST	43614	10554	192.168.2.14	5.230.118.247
Oct 7, 2024 22:51:11.782104969 CEST	10554	43614	5.230.118.247	192.168.2.14
Oct 7, 2024 22:51:13.782252073 CEST	49512	10001	192.168.2.14	5.230.118.247
Oct 7, 2024 22:51:13.787338972 CEST	10001	49512	5.230.118.247	192.168.2.14
Oct 7, 2024 22:51:13.787426949 CEST	49512	10001	192.168.2.14	5.230.118.247
Oct 7, 2024 22:51:13.787668943 CEST	49512	10001	192.168.2.14	5.230.118.247
Oct 7, 2024 22:51:13.792711020 CEST	10001	49512	5.230.118.247	192.168.2.14
Oct 7, 2024 22:51:15.654953957 CEST	10001	49512	5.230.118.247	192.168.2.14
Oct 7, 2024 22:51:15.655560970 CEST	49512	10001	192.168.2.14	5.230.118.247
Oct 7, 2024 22:51:15.660640955 CEST	10001	49512	5.230.118.247	192.168.2.14
Oct 7, 2024 22:51:18.658968925 CEST	50566	443	192.168.2.14	5.230.171.9
Oct 7, 2024 22:51:18.659085989 CEST	443	50566	5.230.171.9	192.168.2.14
Oct 7, 2024 22:51:18.659518003 CEST	50566	443	192.168.2.14	5.230.171.9
Oct 7, 2024 22:51:18.660197973 CEST	50566	443	192.168.2.14	5.230.171.9
Oct 7, 2024 22:51:18.660234928 CEST	443	50566	5.230.171.9	192.168.2.14
Oct 7, 2024 22:51:18.660363913 CEST	443	50566	5.230.171.9	192.168.2.14
Oct 7, 2024 22:51:20.663356066 CEST	57112	5223	192.168.2.14	185.248.144.209
Oct 7, 2024 22:51:20.669131041 CEST	5223	57112	185.248.144.209	192.168.2.14
Oct 7, 2024 22:51:20.669414997 CEST	57112	5223	192.168.2.14	185.248.144.209
Oct 7, 2024 22:51:20.669457912 CEST	57112	5223	192.168.2.14	185.248.144.209
Oct 7, 2024 22:51:20.674890041 CEST	5223	57112	185.248.144.209	192.168.2.14
Oct 7, 2024 22:51:22.348941088 CEST	5223	57112	185.248.144.209	192.168.2.14
Oct 7, 2024 22:51:22.349499941 CEST	57112	5223	192.168.2.14	185.248.144.209
Oct 7, 2024 22:51:22.349664927 CEST	57112	5223	192.168.2.14	185.248.144.209
Oct 7, 2024 22:51:22.357527971 CEST	5223	57112	185.248.144.209	192.168.2.14
Oct 7, 2024 22:51:25.354036093 CEST	36800	27050	192.168.2.14	5.230.228.44
Oct 7, 2024 22:51:25.359563112 CEST	27050	36800	5.230.228.44	192.168.2.14
Oct 7, 2024 22:51:25.359761953 CEST	36800	27050	192.168.2.14	5.230.228.44
Oct 7, 2024 22:51:25.359983921 CEST	36800	27050	192.168.2.14	5.230.228.44
Oct 7, 2024 22:51:25.366410971 CEST	27050	36800	5.230.228.44	192.168.2.14
Oct 7, 2024 22:51:27.026007891 CEST	27050	36800	5.230.228.44	192.168.2.14
Oct 7, 2024 22:51:27.026912928 CEST	36800	27050	192.168.2.14	5.230.228.44
Oct 7, 2024 22:51:27.032331944 CEST	27050	36800	5.230.228.44	192.168.2.14
Oct 7, 2024 22:51:28.031550884 CEST	34066	3389	192.168.2.14	5.230.118.247
Oct 7, 2024 22:51:28.036914110 CEST	3389	34066	5.230.118.247	192.168.2.14
Oct 7, 2024 22:51:28.037039042 CEST	34066	3389	192.168.2.14	5.230.118.247
Oct 7, 2024 22:51:28.037118912 CEST	34066	3389	192.168.2.14	5.230.118.247
Oct 7, 2024 22:51:28.042413950 CEST	3389	34066	5.230.118.247	192.168.2.14
Oct 7, 2024 22:51:29.905819893 CEST	3389	34066	5.230.118.247	192.168.2.14
Oct 7, 2024 22:51:29.906270027 CEST	34066	3389	192.168.2.14	5.230.118.247
Oct 7, 2024 22:51:29.911292076 CEST	3389	34066	5.230.118.247	192.168.2.14
Oct 7, 2024 22:51:32.909883022 CEST	59764	27015	192.168.2.14	5.230.228.47
Oct 7, 2024 22:51:32.915258884 CEST	27015	59764	5.230.228.47	192.168.2.14
Oct 7, 2024 22:51:32.915411949 CEST	59764	27015	192.168.2.14	5.230.228.47
Oct 7, 2024 22:51:32.915508032 CEST	59764	27015	192.168.2.14	5.230.228.47
Oct 7, 2024 22:51:32.920547009 CEST	27015	59764	5.230.228.47	192.168.2.14
Oct 7, 2024 22:51:34.582513094 CEST	27015	59764	5.230.228.47	192.168.2.14
Oct 7, 2024 22:51:34.583504915 CEST	59764	27015	192.168.2.14	5.230.228.47
Oct 7, 2024 22:51:34.589174032 CEST	27015	59764	5.230.228.47	192.168.2.14
Oct 7, 2024 22:51:36.588143110 CEST	42530	443	192.168.2.14	5.230.118.247
Oct 7, 2024 22:51:36.588243961 CEST	443	42530	5.230.118.247	192.168.2.14
Oct 7, 2024 22:51:36.588323116 CEST	42530	443	192.168.2.14	5.230.118.247
Oct 7, 2024 22:51:36.588823080 CEST	42530	443	192.168.2.14	5.230.118.247
Oct 7, 2024 22:51:36.588859081 CEST	443	42530	5.230.118.247	192.168.2.14
Oct 7, 2024 22:51:36.589169025 CEST	443	42530	5.230.118.247	192.168.2.14
Oct 7, 2024 22:51:39.592859030 CEST	40658	6036	192.168.2.14	5.230.228.47
Oct 7, 2024 22:51:39.598402023 CEST	6036	40658	5.230.228.47	192.168.2.14
Oct 7, 2024 22:51:39.598740101 CEST	40658	6036	192.168.2.14	5.230.228.47
Oct 7, 2024 22:51:39.598740101 CEST	40658	6036	192.168.2.14	5.230.228.47
Oct 7, 2024 22:51:39.604132891 CEST	6036	40658	5.230.228.47	192.168.2.14
Oct 7, 2024 22:51:41.268712997 CEST	6036	40658	5.230.228.47	192.168.2.14
Oct 7, 2024 22:51:41.269516945 CEST	40658	6036	192.168.2.14	5.230.228.47
Oct 7, 2024 22:51:41.274899006 CEST	6036	40658	5.230.228.47	192.168.2.14
Oct 7, 2024 22:51:42.273482084 CEST	46698	22022	192.168.2.14	194.156.98.15
Oct 7, 2024 22:51:42.279228926 CEST	22022	46698	194.156.98.15	192.168.2.14
Oct 7, 2024 22:51:42.279537916 CEST	46698	22022	192.168.2.14	194.156.98.15
Oct 7, 2024 22:51:42.279650927 CEST	46698	22022	192.168.2.14	194.156.98.15
Oct 7, 2024 22:51:42.284862041 CEST	22022	46698	194.156.98.15	192.168.2.14
Oct 7, 2024 22:51:44.276787996 CEST	22022	46698	194.156.98.15	192.168.2.14
Oct 7, 2024 22:51:44.277784109 CEST	46698	22022	192.168.2.14	194.156.98.15
Oct 7, 2024 22:51:44.282958031 CEST	22022	46698	194.156.98.15	192.168.2.14
Oct 7, 2024 22:51:47.283132076 CEST	45370	2222	192.168.2.14	5.230.229.83
Oct 7, 2024 22:51:47.288397074 CEST	2222	45370	5.230.229.83	192.168.2.14
Oct 7, 2024 22:51:47.288506985 CEST	45370	2222	192.168.2.14	5.230.229.83
Oct 7, 2024 22:51:47.288651943 CEST	45370	2222	192.168.2.14	5.230.229.83
Oct 7, 2024 22:51:47.293617010 CEST	2222	45370	5.230.229.83	192.168.2.14
Oct 7, 2024 22:51:48.977399111 CEST	2222	45370	5.230.229.83	192.168.2.14
Oct 7, 2024 22:51:48.978409052 CEST	45370	2222	192.168.2.14	5.230.229.83
Oct 7, 2024 22:51:48.986934900 CEST	2222	45370	5.230.229.83	192.168.2.14
Oct 7, 2024 22:51:50.981661081 CEST	45228	10554	192.168.2.14	5.230.228.62
Oct 7, 2024 22:51:50.989433050 CEST	10554	45228	5.230.228.62	192.168.2.14
Oct 7, 2024 22:51:50.989581108 CEST	45228	10554	192.168.2.14	5.230.228.62
Oct 7, 2024 22:51:50.989618063 CEST	45228	10554	192.168.2.14	5.230.228.62
Oct 7, 2024 22:51:50.994549036 CEST	10554	45228	5.230.228.62	192.168.2.14
Oct 7, 2024 22:51:52.660242081 CEST	10554	45228	5.230.228.62	192.168.2.14
Oct 7, 2024 22:51:52.661139011 CEST	45228	10554	192.168.2.14	5.230.228.62
Oct 7, 2024 22:51:52.666162014 CEST	10554	45228	5.230.228.62	192.168.2.14
Oct 7, 2024 22:51:55.665493011 CEST	59436	27015	192.168.2.14	94.131.118.154
Oct 7, 2024 22:51:55.671185017 CEST	27015	59436	94.131.118.154	192.168.2.14
Oct 7, 2024 22:51:55.671279907 CEST	59436	27015	192.168.2.14	94.131.118.154
Oct 7, 2024 22:51:55.671335936 CEST	59436	27015	192.168.2.14	94.131.118.154
Oct 7, 2024 22:51:55.676414967 CEST	27015	59436	94.131.118.154	192.168.2.14
Oct 7, 2024 22:51:57.275289059 CEST	27015	59436	94.131.118.154	192.168.2.14
Oct 7, 2024 22:51:57.275572062 CEST	59436	27015	192.168.2.14	94.131.118.154
Oct 7, 2024 22:51:57.280643940 CEST	27015	59436	94.131.118.154	192.168.2.14
Oct 7, 2024 22:51:58.279222012 CEST	40582	19153	192.168.2.14	5.230.228.42
Oct 7, 2024 22:51:58.284693003 CEST	19153	40582	5.230.228.42	192.168.2.14
Oct 7, 2024 22:51:58.284957886 CEST	40582	19153	192.168.2.14	5.230.228.42
Oct 7, 2024 22:51:58.284957886 CEST	40582	19153	192.168.2.14	5.230.228.42
Oct 7, 2024 22:51:58.289926052 CEST	19153	40582	5.230.228.42	192.168.2.14
Oct 7, 2024 22:51:59.969760895 CEST	19153	40582	5.230.228.42	192.168.2.14
Oct 7, 2024 22:51:59.970726967 CEST	40582	19153	192.168.2.14	5.230.228.42
Oct 7, 2024 22:51:59.975817919 CEST	19153	40582	5.230.228.42	192.168.2.14
Oct 7, 2024 22:52:01.975444078 CEST	50778	3478	192.168.2.14	194.156.98.15
Oct 7, 2024 22:52:01.980891943 CEST	3478	50778	194.156.98.15	192.168.2.14
Oct 7, 2024 22:52:01.981005907 CEST	50778	3478	192.168.2.14	194.156.98.15
Oct 7, 2024 22:52:01.981184959 CEST	50778	3478	192.168.2.14	194.156.98.15
Oct 7, 2024 22:52:01.986300945 CEST	3478	50778	194.156.98.15	192.168.2.14
Oct 7, 2024 22:52:03.980424881 CEST	3478	50778	194.156.98.15	192.168.2.14
Oct 7, 2024 22:52:03.981242895 CEST	50778	3478	192.168.2.14	194.156.98.15
Oct 7, 2024 22:52:03.986759901 CEST	3478	50778	194.156.98.15	192.168.2.14
Oct 7, 2024 22:52:04.984299898 CEST	39894	19153	192.168.2.14	94.131.118.154
Oct 7, 2024 22:52:04.989505053 CEST	19153	39894	94.131.118.154	192.168.2.14
Oct 7, 2024 22:52:04.989737034 CEST	39894	19153	192.168.2.14	94.131.118.154
Oct 7, 2024 22:52:04.989783049 CEST	39894	19153	192.168.2.14	94.131.118.154
Oct 7, 2024 22:52:04.994679928 CEST	19153	39894	94.131.118.154	192.168.2.14
Oct 7, 2024 22:52:06.588428020 CEST	19153	39894	94.131.118.154	192.168.2.14
Oct 7, 2024 22:52:06.588926077 CEST	39894	19153	192.168.2.14	94.131.118.154
Oct 7, 2024 22:52:06.593811035 CEST	19153	39894	94.131.118.154	192.168.2.14
Oct 7, 2024 22:52:07.593859911 CEST	33706	27015	192.168.2.14	5.230.171.8
Oct 7, 2024 22:52:07.599201918 CEST	27015	33706	5.230.171.8	192.168.2.14
Oct 7, 2024 22:52:07.599430084 CEST	33706	27015	192.168.2.14	5.230.171.8
Oct 7, 2024 22:52:07.599601030 CEST	33706	27015	192.168.2.14	5.230.171.8
Oct 7, 2024 22:52:07.604717970 CEST	27015	33706	5.230.171.8	192.168.2.14
Oct 7, 2024 22:52:09.454474926 CEST	27015	33706	5.230.171.8	192.168.2.14
Oct 7, 2024 22:52:09.455377102 CEST	33706	27015	192.168.2.14	5.230.171.8
Oct 7, 2024 22:52:09.460679054 CEST	27015	33706	5.230.171.8	192.168.2.14
Oct 7, 2024 22:52:12.458786011 CEST	60696	3389	192.168.2.14	5.230.228.45
Oct 7, 2024 22:52:12.463706970 CEST	3389	60696	5.230.228.45	192.168.2.14
Oct 7, 2024 22:52:12.464070082 CEST	60696	3389	192.168.2.14	5.230.228.45
Oct 7, 2024 22:52:12.464071035 CEST	60696	3389	192.168.2.14	5.230.228.45
Oct 7, 2024 22:52:12.469068050 CEST	3389	60696	5.230.228.45	192.168.2.14
Oct 7, 2024 22:52:14.114887953 CEST	3389	60696	5.230.228.45	192.168.2.14
Oct 7, 2024 22:52:14.115263939 CEST	60696	3389	192.168.2.14	5.230.228.45
Oct 7, 2024 22:52:14.120214939 CEST	3389	60696	5.230.228.45	192.168.2.14
Oct 7, 2024 22:52:15.118765116 CEST	53836	3389	192.168.2.14	5.230.229.84
Oct 7, 2024 22:52:15.124749899 CEST	3389	53836	5.230.229.84	192.168.2.14
Oct 7, 2024 22:52:15.124900103 CEST	53836	3389	192.168.2.14	5.230.229.84
Oct 7, 2024 22:52:15.125076056 CEST	53836	3389	192.168.2.14	5.230.229.84
Oct 7, 2024 22:52:15.131030083 CEST	3389	53836	5.230.229.84	192.168.2.14
Oct 7, 2024 22:52:17.267951012 CEST	3389	53836	5.230.229.84	192.168.2.14
Oct 7, 2024 22:52:17.268640041 CEST	53836	3389	192.168.2.14	5.230.229.84
Oct 7, 2024 22:52:17.273566008 CEST	3389	53836	5.230.229.84	192.168.2.14
Oct 7, 2024 22:52:18.272049904 CEST	45060	995	192.168.2.14	185.248.144.209
Oct 7, 2024 22:52:18.277280092 CEST	995	45060	185.248.144.209	192.168.2.14
Oct 7, 2024 22:52:18.277477026 CEST	45060	995	192.168.2.14	185.248.144.209
Oct 7, 2024 22:52:18.277477026 CEST	45060	995	192.168.2.14	185.248.144.209
Oct 7, 2024 22:52:18.283083916 CEST	995	45060	185.248.144.209	192.168.2.14

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 7, 2024 22:50:15.389879942 CEST	21087	3478	192.168.2.14	172.217.192.127
Oct 7, 2024 22:50:16.033418894 CEST	3478	21087	172.217.192.127	192.168.2.14
Oct 7, 2024 22:50:16.038151026 CEST	59532	53	192.168.2.14	185.181.61.24
Oct 7, 2024 22:50:16.079066992 CEST	53	59532	185.181.61.24	192.168.2.14

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Oct 7, 2024 22:50:16.038151026 CEST	192.168.2.14	185.181.61.24	0x5b60	Standard query (0)	iranistrash.libre	16	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Oct 7, 2024 22:50:16.079066992 CEST	185.181.61.24	192.168.2.14	0x5b60	No error (0)	iranistrash.libre			TXT (Text strings)	IN (0x0001)	false

System Behavior

Analysis Process: SecuriteInfo.com.ELF.Mirai-CVD.11330.22523.elf PID: 5512, Parent PID: 5438

General

Start time (UTC):	20:50:11
Start date (UTC):	07/10/2024
Path:	/tmp/SecuriteInfo.com.ELF.Mirai-CVD.11330.22523.elf
Arguments:	/tmp/SecuriteInfo.com.ELF.Mirai-CVD.11330.22523.elf
File size:	4139976 bytes
MD5 hash:	8943e5f8f8c280467b4472c15ae93ba9

Chronological Activities

Analysis Process: SecuriteInfo.com.ELF.Mirai-CVD.11330.22523.elf PID: 5522, Parent PID: 5512

General

Start time (UTC):	20:50:14
Start date (UTC):	07/10/2024
Path:	/tmp/SecuriteInfo.com.ELF.Mirai-CVD.11330.22523.elf
Arguments:	-
File size:	4139976 bytes
MD5 hash:	8943e5f8f8c280467b4472c15ae93ba9

Chronological Activities

Analysis Process: SecuriteInfo.com.ELF.Mirai-CVD.11330.22523.elf PID: 5525, Parent PID: 5522

General

Start time (UTC):	20:50:14
Start date (UTC):	07/10/2024
Path:	/tmp/SecuriteInfo.com.ELF.Mirai-CVD.11330.22523.elf
Arguments:	-
File size:	4139976 bytes
MD5 hash:	8943e5f8f8c280467b4472c15ae93ba9

Description:	Adversaries may delete files left behind by the actions of their intrusion activity. Malware, tools, or other non-native files dropped or created on a system by an adversary (ex: Ingress Tool Transfer ) may leave traces to indicate to what was done within a network and how. Removal of these files can occur during an intrusion, or as part of a post-intrusion process to minimize the adversary's footprint.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Deletion
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of services running on remote hosts and local network infrastructure devices, including those that may be vulnerable to remote software exploitation. Common methods to acquire this information include port and/or vulnerability scans using tools that are brought onto a system.
Tactics:	Discovery
Data Sources:	Cloud Service: Cloud Service Enumeration, Command: Command Execution, Network Traffic: Network Traffic Flow
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port pairing that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Linux Analysis Report SecuriteInfo.com.ELF.Mirai-CVD.11330.22523.elf

Overview

General Information

Detection

Signatures

Classification

General Information

Warnings

Runtime Messages

Process Tree

Yara Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Networking

System Summary

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

HIPS / PFW / Operating System Protection Evasion

Mitre Att&ck Matrix

Malware Configuration

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Domains

URLs

Domains and IPs

Contacted Domains

World Map of Contacted IPs

Public IPs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

Static ELF Info

ELF header

Sections

Program Segments

Network Behavior

Network Port Distribution

TCP Packets

UDP Packets

DNS Queries

DNS Answers

System Behavior

Analysis Process: SecuriteInfo.com.ELF.Mirai-CVD.11330.22523.elf PID: 5512, Parent PID: 5438

General

Chronological Activities

Analysis Process: SecuriteInfo.com.ELF.Mirai-CVD.11330.22523.elf PID: 5522, Parent PID: 5512

General

Chronological Activities

Analysis Process: SecuriteInfo.com.ELF.Mirai-CVD.11330.22523.elf PID: 5525, Parent PID: 5522

General

Chronological Activities

Linux Analysis Report
SecuriteInfo.com.ELF.Mirai-CVD.11330.22523.elf